NeuroPlug: Plugging Side-Channel Leaks in NPUs using Space Filling Curves

Nivedita Shrivastava, Smruti R. Sarangi

TL;DR

NeuroPlug tackles side-channel leakage in DNN NPUs by introducing a multiplicative noise factor $C$ derived from feature-map compression, and by mapping computations to a 1-D space via space-filling curves (SFCs) for tiling, compression, and binning. The authors develop a Mellin-transform-based framework to quantify the adversary's search space given the observed data and side information, showing that the effective search space grows dramatically while performance is maintained. Empirical results show that NeuroPlug delivers about 15% higher performance than the nearest competing scheme and achieves near-random leakage profiles under multiple attacks, including HuffDuff and Reverse Engineering. The approach combines theoretical rigor with hardware realizations (ASIC/FPGA) and demonstrates robust defense against SS, KK, and SI class attacks, offering a scalable, tunable security mechanism for NN accelerators. The work advances the state of the art in DNN architecture protection by integrating mathematical obfuscation with practical 1-D computation and compression, enabling secure, efficient NN inference on resource-constrained devices.

Abstract

Securing deep neural networks (DNNs) from side-channel attacks is an important problem today, given the substantial investment of time and resources in acquiring the raw data and training complex models. All published countermeasures (CMs) add noise $N$ to a signal $X$ (a parameter of interest, such as the net memory traffic, that is leaked). The adversary observes $X + N$; we shall show that it is easy to filter this noise out using targeted measurements, statistical analyses and different kinds of reasonably assumed side information. We present a novel CM, NeuroPlug, that is immune to these attack methodologies mainly because we use a different formulation, $CX + N$. We introduce a multiplicative variable $C$ that naturally arises from feature map compression; it plays a key role in obfuscating the parameters of interest. Our approach is based on mapping all the computations to a 1-D space filling curve and then performing a sequence of tiling, compression and binning-based obfuscation operations. We then propose a theoretical framework based on Mellin transforms that allows us to accurately quantify the size of the search space as a function of the noise we add and the side information that an adversary possesses. The security guarantees provided by NeuroPlug are validated using a battery of statistical and information-theoretic tests. We also demonstrate a substantial performance enhancement of 15% compared to the closest competing work.
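The abstract's two formulations, $X + N$ and $CX + N$, can be compared with a small search-space simulation. The following is an added illustration, not the paper's code or its Mellin-transform analysis: the true write count (1568) and dummy-write range (784) echo the Figure 3 numbers, the noise is assumed uniform, and the set of compression factors `C_VALUES` is a constructed assumption rather than NeuroPlug's actual ratios.

```python
import random
from fractions import Fraction
from math import ceil, floor

# Constructed illustration values (not the paper's measurements).
TRUE_X = 1568                  # true writes, as in the Figure 3 example
N_MAX = 784                    # additive noise N is an integer in [0, N_MAX]
C_VALUES = [Fraction(k, 8) for k in (4, 5, 6, 7, 8)]   # assumed factors 1/2 .. 1


def additive_candidates(y, n_max=N_MAX):
    """X values consistent with one observation Y = X + N, N in [0, n_max]."""
    return set(range(y - n_max, y + 1))


def multiplicative_candidates(y, c_values=C_VALUES, n_max=N_MAX):
    """X values consistent with Y = C*X + N for some C in c_values, N in [0, n_max].
    Each C contributes the integer interval [(Y - n_max)/C, Y/C]; their union is
    the adversary's search space when C itself is not observable."""
    cands = set()
    for c in c_values:
        lo, hi = ceil((y - n_max) / c), floor(y / c)
        cands.update(range(max(lo, 0), hi + 1))
    return cands


def kk_estimate(observations, noise_mean):
    """Kerckhoffs-style filtering (the KK attack of Figure 4): the noise
    generator's mean is public, so average the traces and subtract it."""
    return sum(observations) / len(observations) - noise_mean


def trace(x, multiplicative, rng):
    """One observed memory-traffic value under either countermeasure."""
    n = rng.randint(0, N_MAX)
    c = rng.choice(C_VALUES) if multiplicative else 1   # C redrawn per inference
    return c * x + n


def simulate(multiplicative, runs=2000, seed=7):
    """KK estimate of X after averaging `runs` traces (seeded, so reproducible).
    Additive: converges to X.  Multiplicative: converges to E[C]*X, not X."""
    rng = random.Random(seed)
    obs = [trace(TRUE_X, multiplicative, rng) for _ in range(runs)]
    return float(kk_estimate(obs, N_MAX / 2))   # N_MAX/2 is the mean of N


if __name__ == "__main__":
    y = Fraction(3, 4) * TRUE_X + 300           # one trace with C = 3/4, N = 300
    print(len(additive_candidates(TRUE_X + 300)), len(multiplicative_candidates(y)))
    print(simulate(False), simulate(True))
```

With one trace the additive scheme leaves 785 candidates and the multiplicative one 2261; with repeated traces the additive candidates collapse to the true value, while the multiplicative estimate settles on $E[C] \cdot X$ and stays far from it.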

Paper Structure (41 sections, 5 equations, 17 figures, 8 tables)

Figures (17)

  • Figure 1: The overall scheme
  • Figure 2: The system design and the threat model (similar to [reverse, huffduff, neurobfuscator]). An adversary snoops the address and the data buses to infer the memory access patterns.
  • Figure 3: SS attack: Adding dummy writes (784) to obfuscate the true writes (1568) in the scaled version of the first layer of Vgg16 ($32 \times 32 \times 3$). Adversaries eliminate the dummy writes as they are not read in the subsequent layer (Liu et al. [mitigating]).
  • Figure 4: KK attack: A noise with a hardwired mean value of 22400 is added to obfuscate the actual volume of the first layer of Vgg16 ($224 \times 224 \times 3$) [neurobfuscator, obfunas]. The adversary will eliminate the noise using an SS attack followed by the Kerckhoffs's (KK) attack.
  • Figure 5: SI attack: Layer divider technique [dnncloak] to obfuscate RAW dependencies. The adversary filters out the fake RAW dependencies by checking the unchanged values.
  • ...and 12 more figures